Palo Alto Networks Palo Alto Networks Certifications PCNSE Questions & Answers

• Question 611:

  Which User-ID method maps IP address to usernames for users connecting through a web proxy that has already authenticated the user?

  A. Client Probing

  B. Port mapping

  C. Server monitoring

  D. Syslog listening

  Correct Answer: D

  To obtain user mappings from existing network services that authenticate users--such as wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, or other Network Access Control (NAC) mechanisms--Configure User-ID to Monitor Syslog Senders for User Mapping.While you can configure either the Windows agent or the PAN-OS integrated User-ID agent on the firewall to listen for authentication syslog messages from the network services, because only the PAN-OS integrated agent supports syslog listening over TLS, it is the preferred configuration. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/user-id-overview.html https://docs.paloaltonetworks.com/pan-os/8-1/ pan-os-admin/user-id/map-ip-addresses-to- users

• Question 612:

  Refer to the exhibit.

  

  A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server?

  A. Untrust (any) to Untrust (10. 1.1. 100), web browsing ?Allow

  B. Untrust (any) to Untrust (1. 1. 1. 100), web browsing ?Allow

  C. Untrust (any) to DMZ (1. 1. 1. 100), web browsing ?Allow

  D. Untrust (any) to DMZ (10. 1. 1. 100), web browsing ?Allow

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/10-0/pan-os- admin/networking/nat/nat-policy-rules/nat-policy-overview.html https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat- configuration-examples/destination-nat-exampleone-to-many-mapping

• Question 613:

  Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.)

  A. .dll

  B. .exe

  C. .fon

  D. .apk

  E. .pdf

  F. .jar

  Correct Answer: ABC

  As part of the basic subscription, wildwire only submits PE files. This would include .exe .dll .fon and .src

• Question 614:

  An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust?

  A. Use custom certificates

  B. Enable LDAP or RADIUS integration

  C. Set up multi-factor authentication

  D. Configure strong password authentication

  Correct Answer: A

  Reference:

  https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/pa norama-overview/plan-your- panorama-deployment

• Question 615:

  If the firewall has the link monitoring configuration, what will cause a failover?

  

  A. ethernet1/3 and ethernet1/6 going down

  B. ethernet1/3 going down C. ethernet1/3 or Ethernet1/6 going down

  D. ethernet1/6 going down

  Correct Answer: A

• Question 616:

  Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.)

  A. Short message service

  B. Push

  C. User logon

  D. Voice

  E. SSH key

  F. One-Time Password

  Correct Answer: ABDF

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os- admin/authentication/authentication-types/multi-factor-authentication Push - An endpoint device (such as a phone or tablet) prompts the user to allow or deny authentication. Short

  message service (SMS) - An SMS message on the endpoint device prompts the user to allow or deny authentication. In some cases, the endpoint device provides a code that the user must enter in the MFA login page.

  Voice - An automated phone call prompts the user to authenticate by pressing a key on the phone or entering a code in the MFA login page.

  One-time password (OTP) - An endpoint device provides an automatically generated alphanumeric string, which the user enters in the MFA login page to enable authentication for a single transaction or session.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication- types/multi-factor-authentication.html#idbc927952-a47e-4bec-ab80-0605a47b4873

• Question 617:

  A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

  Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web- browsing traffic to this server on tcp/443?

  A. Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow

  B. Rule #1: application: web-browsing; service: service-https; action: allow Rule #2:application: ssl; service: application-default; action: allow

  C. Rule # 1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow

  D. Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow

  Correct Answer: B

• Question 618:

  Which CLI command enables an administrator to check the CPU utilization of the dataplane?

  A. show running resource-monitor

  B. debug data-plane dp-cpu

  C. show system resources

  D. debug running resources

  Correct Answer: A

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXwCAK https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluDCAS

• Question 619:

  Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone?

  The web server is reachable using a destination Nat policy in the Palo Alto Networks firewall.

  A. Zone Pair: Source Zone: Internet Destination Zone: DMZ Rule Type: "intrazone"

  B. Zone Pair: Source Zone: Internet Destination Zone: DMZ Rule Type: "intrazone" or "universal"

  C. Zone Pair: Source Zone: Internet Destination Zone: Internet Rule Type: "intrazone" or "universal"

  D. Zone Pair: Source Zone: Internet Destination Zone: Internet Rule Type: "intrazone"

  Correct Answer: B

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/zone-protection-and-dos- protection/zone-defense/zone-defense-tools.html

  https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/nat/nat- configuration-examples/destination-nat-exampleone-to-one-mapping

• Question 620:

  Which administrative authentication method supports authorization by an external service?

  A. Certificates

  B. LDAP

  C. RADIUS

  D. SSH keys

  Correct Answer: C

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall- administration/manage-firewall-administrators/administrative-authentication